10-02-2008 07:03 AM - edited 03-06-2019 01:43 AM
Design:
1. ASA inside connects to Cat 6500 Switch.
2. Cat 6500 switch has all servers connected to it.
Now,
a) Should the inside of the ASA map to one of the VLANs on the MSFC, i.e. the same subnet?
b) Secondly, if there is an FWSM placed after the MSFC, should the outside VLAN of the FWSM be the same VLAN as mentioned in point a), i.e. the inside of the perimeter ASA?
Regards.
10-02-2008 07:06 AM
Again it depends on what you are trying to do.
a) I would use a dedicated subnet for this, so use a new VLAN.
b) This entirely depends on what you want the FWSM to achieve. Bear in mind if it looks like this
ASA - MSFC - FWSM
then you have a router between your ASA and your FWSM, so your FWSM may get bypassed. What are you trying to achieve with the FWSM?
Jon
10-02-2008 09:42 AM
The incoming traffic flow is as you have stated, i.e. ASA -> MSFC -> FWSM.
So let's say for the incoming flow I would have a VLAN on the MSFC (VLAN 100) which would map to the ASA inside (i.e. the same subnet), and I would also have a VLAN on the MSFC (VLAN 101) which would map to the FWSM outside VLAN (i.e. the same VLAN/subnet).
Is that correct?
I am assuming both VLANs can never be the same due to the router in the way, or can they be the same?
Regards.
10-02-2008 10:23 AM
No, they could be the same if you wanted, i.e. you could have
ASA - FWSM - MSFC
but it really does depend on what you are trying to protect with both your ASA device and your FWSM. It can also make a difference if you are using other service modules in the 6500 such as a CSM/ACE module for load-balancing.
Perhaps if you expand on your requirements I could point you in the right direction.
Jon
10-03-2008 03:13 AM
Thanks.
Design 1:
ASA - MSFC - FWSM
Now the front-end servers should be connected to the ASA and the backend servers should be connected to the FWSM. Ideally, front-end servers should be on the DMZ of the perimeter firewall.
If I were to follow that, then wouldn't two links terminate from the ASA on Cat 6500 switchports (i.e. inside as well as DMZ)? Or should I ignore the DMZ and just connect the servers to Cat 6500 switchports on the inside of the ASA?
10-03-2008 01:17 PM
Front-end servers: if accessed from the internet I would have them on their own DMZ. To be very secure, a separate dedicated switch would be the way to go. Nothing wrong with collapsing onto the 6500 chassis, but you need to be very careful with configuration changes!
Now if the front-end servers are only ever going to communicate with the backend servers I would not have the MSFC in between; it is just not needed. You could go straight to the outside of the FWSM. This would be a more secure setup. Bear in mind that with the FWSM, even with the base license, you get 2 contexts to play with, which means you could have
context1 - ASA - MSFC - FWSM (or maybe not bother with the ASA at all in this context)
context2 - ASA - FWSM - MSFC
Jon
10-04-2008 12:23 AM
Ok.
What could be the drawback if I only have one link out of the ASA (i.e. INSIDE) terminating on the Cat 6500 and connect the front-end servers to it?
And the INSIDE gets connected to the FWSM OUTSIDE VLAN.
10-04-2008 01:41 AM
If you mean that you create an inside L2 VLAN, let's say VLAN 100, which is the VLAN that the front-end servers and the ASA inside are in,
then here you need another VLAN and ASA interface to let the FWSM and/or MSFC communicate with the front-end servers securely through the ASA,
or you might make the mentioned VLAN 100 the VLAN between the ASA and the FWSM directly; in this case, as Jon told you, you don't need the MSFC in between because you might bypass one of the firewalls.
Good luck.
10-04-2008 02:37 AM
No huge drawback, although it is still unclear if these servers are to be accessed from the internet.
Anyway, assuming they are and that you only want one interface from the ASA connecting to the 6500, then I would have the inside interface of the ASA on an L2 VLAN that has no SVI on the MSFC. Place your front-end servers into that and then put the outside interface of your FWSM into that VLAN as well. You can then do what you like behind the FWSM, i.e. you could have just DMZs for the backend servers or you could allow traffic to hit the MSFC.
ASA - front-end servers - FWSM -> internal network.
The above would work, but I'm not sure it's the optimal solution. It is difficult to recommend a good solution without seeing all the design requirements, because what you do here could have a massive influence on other parts of your network.
Jon
10-04-2008 02:46 AM
Good that my suggestion agrees exactly with Jon's suggestion.
However, I do agree with Jon that we need to know the whole requirements to be able to give you the logical design that suits your requirements.
As you have seen, you can do it in several ways, but you can't consider one the best among them unless you know what you want to achieve.
Thank you.
10-04-2008 04:28 AM
Thanks all.
The front-end servers shall be exposed to internet traffic. They host a web application getting approx. 100,000 hits every day.
My concern is that if the front-end servers are connected to the ASA inside, i.e. mapped to the FWSM outside, then isn't it insecure, as all the internet traffic will only be one hop away from the backend? Whereas if the front-end servers are placed in the DMZ (ASA), then internet traffic hitting the front end will be two hops away from the backend. Could there possibly be other loopholes/issues?
Regards.
10-04-2008 09:47 AM
With the information you have provided I would recommend that
1) The front-end servers should be on a DMZ of their own.
2) That this DMZ is on a dedicated switch that is not connected to the 6500.
3) That the inside of the ASA device connects to a VLAN that also has an SVI and which also connects to the outside interface of your FWSM, i.e.
ASA - MSFC - FWSM
4) That the backend servers live behind the FWSM.
Points to note:
1) There is an assumption that internal users will need access to the backend servers. This is why the MSFC is between the ASA, which services the Internet, and the FWSM, which services both the internet and the internal users. If this is not the case and you have dedicated backend servers for the Internet connectivity then I would remove the MSFC from the equation. But bear in mind that even if you do have dedicated backend servers, any other servers they rely on for normal operation would also have to be dedicated, e.g. DNS: if these backend servers were dedicated to the Internet but they used your corporate internal DNS servers, then you may well need to introduce the MSFC again so they can get to the DNS servers.
2) As mentioned previously, there is a big advantage to having the DMZ on a separate switch. Yes, you can collapse it all onto the 6500 chassis, but it really only takes a slight misconfiguration and you have granted access where you didn't want to.
3) There is no mention of load-balancing, although I suspect you are going to be using it. If so, are the load-balancing devices standalone or integrated into the 6500 chassis? If integrated, this could explain why you might want to collapse the DMZ onto the 6500 chassis.
There are a lot of other things to consider with these sorts of designs, e.g. IDS/IPS placement, load-balancing setup (i.e. routed/bridged/one-armed mode), FWSM setup (i.e. routed/transparent) etc., but the above should hopefully be enough to get you started.
Jon
10-04-2008 11:27 AM
Jon,
This was quite beneficial.
I would still like to know what I will be missing if
1. Front-end servers are on the inside of the ASA.
2. Inside of the ASA is directly mapped to the outside of the FWSM.
3. Single physical link from the ASA to the Cat 6500.
i.e. not having a DMZ (for front-end servers) on the ASA.
Quote
1) The front-end servers should be on a DMZ of their own.
Unquote
Why is it so? Isn't inside only enough?
Yes, ACE module is used as load balancer on Cat 6500.
Regards.
10-05-2008 01:10 AM
Okay, if you are definitely not going to have the MSFC in between the ASA and the FWSM then that would be fine. But you need to factor in what will and won't work in that scenario; that's really all I was trying to explain.
What you describe is a quite common deployment in large enterprises with front-end and back-end firewall and secure subnets in between.
If you do have this setup, then the backend servers would only be accessible from the internet unless you had a separate interface on the FWSM that did share a VLAN with the MSFC for your internal users.
Jon
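The layout Jon describes (ASA inside, front-end servers and FWSM outside sharing one L2 VLAN with no SVI on the MSFC, backend servers behind the FWSM) written out as Cisco configuration; this is an added illustration, not configuration from the thread, and the VLAN numbers, IP addresses, slot number and FWSM 3.x routed-mode syntax are assumptions.

```cisco
! --- Catalyst 6500 supervisor / MSFC (constructed example) ---
! VLAN 100: ASA inside, the front-end servers and the FWSM outside share it.
! VLAN 200: backend servers, reachable only through the FWSM.
vlan 100
 name ASA-INSIDE_FWSM-OUTSIDE
vlan 200
 name BACKEND-SERVERS
!
! Hand both VLANs to the FWSM (slot 3 is an assumption).
firewall vlan-group 1 100,200
firewall module 3 vlan-group 1
!
! The single ASA inside link lands on a plain access port in VLAN 100.
interface GigabitEthernet1/1
 description ASA inside
 switchport
 switchport access vlan 100
 switchport mode access
!
! Weak setting (left commented out on purpose): an SVI on VLAN 100 gives the
! MSFC a leg in the shared VLAN, so VLAN 100 traffic can be routed around the
! FWSM. In the no-MSFC design there is no "interface Vlan100" at all; the same
! applies to VLAN 200, otherwise the MSFC would sit beside the FWSM.
!interface Vlan100
! ip address 10.1.100.3 255.255.255.0
!
! --- FWSM, routed mode, FWSM 3.x syntax (constructed example) ---
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.1.100.2 255.255.255.0
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.1.200.1 255.255.255.0
!
! Only the front-end web server may open the application port on the backend;
! everything else arriving from the shared VLAN is dropped (assumed hosts/port).
access-list OUTSIDE_IN extended permit tcp host 10.1.100.10 host 10.1.200.10 eq 8080
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Front-end servers keep the ASA inside address (10.1.100.1) as their default
! gateway and a static route for 10.1.200.0/24 via 10.1.100.2 (the FWSM).
```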